onContinuePostLogin: The session token is invalid: Unexpected token payload type

felix.seidl · August 15, 2022, 9:44am

Hi,

I’m working on Post Login action that uses a redirect and then tries to access some data from an external website.

when calling validateToken I’m getting an error (“The session token is invalid: Unexpected token payload type”) and I don’t know exactly what the problem is.

The token I’m returning looks like this:

{
  "state": "hKF***",
  "favorite_color": "blue",
  "iat": 1660555965,
  "sub": "auth0|***",
  "iss": "***.azurewebsites.net",
  "exp": 1660556025
}

I’m signing the token with HS256 and a shared key both known to the action and the external service.

dan.woda · August 26, 2022, 9:26pm

Hi @felix.seidl,

Welcome to the Auth0 Community!

How are you creating the token? Can you give us a code snippet of your action?

Also have you tried checking your token with jwt.io to see if it is valid?

Let me know,
Dan

felix.seidl · August 29, 2022, 7:02am

Hi @dan.woda,

Thanks for reaching out.

I’m using the ‘jose’ npm package to create the token on on the external site:

const secret = new TextEncoder().encode(shared_secret);
const jwt = await new jose.SignJWT({ state: stateParameter, favorite_color: "blue" }) // some dummy value
    .setProtectedHeader({ alg: 'HS256' })
    .setIssuedAt()
    .setSubject(userId)
    .setIssuer('***.azurewebsites.net')
    .setExpirationTime('1m')
    .sign(secret);

the redirect back to auth0:

window.location.replace(`https://***.eu.auth0.com/continue?state=${stateParameter}&token=${token}`);

onContinuePostLogin:

const payload = api.redirect.validateToken({
      secret: event.secrets.sharedsecret,
      tokenParameterName: "token",
    });

I have checked the token on jwt.io but saw no problems.

dan.woda · August 30, 2022, 12:01am

Can you share (or DM) an example of the payload? This error suggests the payload is malformed.

felix.seidl · August 30, 2022, 7:42am

I can reproduce this error with the payload from the example (favorite_color: "blue")

bryanc · September 14, 2022, 7:13pm

I also receive this same error, using the same code as above. I verified it on jwt.io as well. Any help here? The error message isn’t giving back any additional context.

miguelangelgalindez · January 20, 2023, 2:58am

You just need to set the typ header alongside the alg header. You will need something like this: .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })

Then, your code would look like this:

const secret = new TextEncoder().encode(shared_secret);
const jwt = await new jose.SignJWT({ state: stateParameter, favorite_color: "blue" }) // some dummy value
    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
    .setIssuedAt()
    .setSubject(userId)
    .setIssuer('***.azurewebsites.net')
    .setExpirationTime('1m')
    .sign(secret);

I know it’s too late, but I’m leaving the answer for anyone else struggling with this.

konrad.sopala · January 20, 2023, 9:04am

Thanks for sharing that with the rest of community!

system · February 3, 2023, 9:04am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.